Yet Another System Admin Blog

Month: April 2015

I wanted to do something rather easy, or so I thought: use a Dynamic Distribution Group in Exchange whose member(s) would be some Active Directory group(s). In other words, I want an email address in my company that sends mail to one or many AD groups, while keeping those AD groups as they are, because they serve various other purposes.

*edit* Following a colleague's relevant remark: yes, there is an easier way, mail-enabling a security group, but it offers less flexibility. In my case I initially wanted several AD groups to be members of that Dynamic Distribution Group. Plus, only Universal groups may be mail-enabled, so make your choice: take the easy route or carry on reading.

For this kind of rather specific task, you usually take your favorite search engine and, after some digging among the usual crap on forums, you find your solution quite quickly. This time it was a bit more tricky, so here's the summary.

Note: This is for Exchange 2010 and might be (very?) different in Exchange 2013 or later.

So you open your Exchange Management Console (EMC) and quickly notice that the options there are very limited:

Container OU, recipient types, and 18 attributes (15 of which are Custom Attributes)… sooo many options!

OK so, we've covered that many times: the one magic solution for this kind of blocking issue is PowerShell, especially for Exchange, where it gets heavily promoted. You quickly find the cmdlet New-DynamicDistributionGroup and begin to read through the official documentation. OK, at first glance, same options as in the GUI. And anywhere you might search, it's always about those damn few basic properties you can filter on.

A deeper read into the last linked article brings out the -RecipientFilter parameter, which seems more promising. There, among the advanced filterable properties, you can find "MemberOfGroup" (LDAP name: memberOf). Which one should I use? We'll see that in a moment. Time to build the PowerShell command!

I won't go through every detail of my tiresome quest, so please know the following badly documented (or undocumented) points:

If you plan to use an AD group which contains only users with mailboxes, you don't have to specify any recipient "type" (user or mailbox), although most sites present this parameter as mandatory.

For Exchange 2010: the parameter that puts the associated account into the desired OU is -OrganizationalUnit, and it takes a "path string" value (domain.ext/OU/OU2), not an X.500 directory spec (CN=,OU=,etc.). It looks like this parameter has another name in other versions, so check your documentation.

-RecipientFilter accepts a lot of values (see the linked doc above). For an AD group it is MemberOfGroup with an X.500 path (the group's Distinguished Name). So yeah, in a single command, two parameters requiring two different AD directory specs….

Here is my final command (use the Exchange Management Shell with appropriate credentials):

Back to your EMC, open this newly created group's Properties and go to the Filter tab. There you will see the filter created by the shell that you cannot modify with the EMC (with options I never specified, but hell..), and if you click the Preview button you will get … nothing.

The reason is: by default, the filter is applied to the same OU that contains the Dynamic DG (or the AD group, cannot remember).
Change this container to the OU where the users are actually located! If they are spread across many OUs, perhaps pick a "higher level" OU, but I haven't tested this.

My sub-OU "Accounts", located elsewhere, contains the users who are members of my AD group.

Then you can check the Preview button again and tadaaaa, the users are appearing.
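The whole procedure above (create the group with the two differently formatted AD specs, fix the recipient container, then preview), as an added example for the Exchange 2010 Management Shell; this is not the author's command, which is absent from the page, and it goes slightly beyond the text by filtering on two AD groups at once, the author's original goal. Group names, DNs and OU paths are placeholders to adapt.

```powershell
# Added example, not the author's own command. All names below are placeholders.
# The two AD specs the post complains about: -RecipientFilter wants the group's
# X.500 Distinguished Name, -OrganizationalUnit wants a "path string".
$groupDns = @(
    'CN=Sales-Team,OU=Groups,DC=domain,DC=ext',      # placeholder DN, AD group 1
    'CN=Support-Team,OU=Groups,DC=domain,DC=ext'     # placeholder DN, AD group 2
)
$groupOu  = 'domain.ext/Exchange/DistributionGroups'  # where the DDG object is created
$usersOu  = 'domain.ext/Accounts'                      # where the member users actually live

# Build one OPATH filter that matches a member of any of the listed groups.
# No -IncludedRecipients is needed when every member already has a mailbox.
$filter = ($groupDns | ForEach-Object { "(MemberOfGroup -eq '$_')" }) -join ' -or '

# 1. Create the dynamic distribution group.
New-DynamicDistributionGroup -Name 'Sales-And-Support' -Alias 'sales-support' `
    -OrganizationalUnit $groupOu `
    -RecipientFilter $filter

# 2. The filter is only evaluated inside RecipientContainer, which defaults to the
#    OU the group was created in. Point it at the OU (or a parent OU) holding the users.
Set-DynamicDistributionGroup -Identity 'Sales-And-Support' -RecipientContainer $usersOu

# 3. Verify: read back the effective filter (Exchange appends its own exclusions,
#    which is what the EMC Filter tab shows) and preview the resulting membership
#    exactly as the EMC Preview button would.
$ddg = Get-DynamicDistributionGroup -Identity 'Sales-And-Support'
$ddg | Format-List Name, RecipientContainer, RecipientFilter
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
              -OrganizationalUnit $ddg.RecipientContainer |
    Select-Object Name, RecipientType, PrimarySmtpAddress
```

If the preview is still empty, check that RecipientContainer really is an ancestor of the users' OU and that the DN in the filter matches the group's distinguishedName attribute character for character.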